Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

Testifying before the US House Intelligence Committee, FBI Director James Comey and NSA Director Michael Rogers cautioned that Russia is likely to interfere in US elections in 2018 and 2020 because of its success interfering in the 2016 presidential election. The FBI and the NSA are working with European counterparts to help prevent Russian interference in elections there.

Cisco Discloses Flaw Leaked in Vault 7
(March 19 & 20, 2017)

Cisco has disclosed a vulnerability that affects more than 300 of its switches. The flaw could be exploited to remotely take control of vulnerable devices. No fix is currently available; Cisco plans to develop patches. The issue lies in Cisco Cluster Management Protocol processing code in its IOS and IOS XE software. Cisco uncovered the issue during its own "analysis of documents related to the Vault 7 disclosure."

[Editor Comments]

[Murray] I fail to see the good in talking about a vulnerability for which one does not have a fix or a work-around. What am I missing?

[Williams] The leaked documents offer insight into the mindset and tradecraft of nation state hackers, but this Cisco vulnerability specifically offers never-before-seen insight into the Vulnerabilities Equities Process (VEP). If a vulnerability this serious and widespread wasn't disclosed through the VEP, one must wonder exactly how high the bar is for disclosure.

Atlassian Makes Struts Patches Available
(March 20, 2017)

Atlassian has made available patches for the Apache Struts 2 vulnerability. Fixes are available for Atlassian's Bamboo, Crowd, and HipChat Server products. Atlassian has already patched its cloud services.

Git Moving in Direction of Replacing SHA-1
(March 20, 2017)

Git is starting to move away from the SHA-1 hash function after Google announced that it had developed a SHA-1 collision attack. Although Linus Torvalds has observed that in the Git community, SHA-1 is used for version control rather than security, he did raise the question of the best way to replace SHA-1.

[Editor Comments]

[Murray] The "best way to replace SHA-1" is efficiently rather than urgently. What the Google demonstration proved is that, while perhaps easier than previously thought, finding collisions is still too expensive to constitute an efficient attack against most applications and will be so for a while.

Mozilla Fixes Critical Flaw in Firefox in Less Than a Day
(March 20, 2017)

Mozilla has fixed a critical flaw in its Firefox browser 22 hours after the issue was discovered at the Pwn2Own competition last week. The vulnerability is fixed in Firefox 52.0.1, released on Friday, March 17. Those who found the bug received a USD 30,000 bounty. Firefox was the first vendor to fix a bug discovered at last week's Pwn2Own.

[Editor Comments]

[Williams] Kudos to the folks at Firefox for fixing this bug so quickly. 22 hours is a great turnaround time for patching the vulnerability and testing the release.

US federal authorities have arrested a man for allegedly knowingly sending a tweet containing a strobing image to Newsweek writer Kurt Eichenwald, who has epilepsy. The tweet triggered a seizure. John Rayne Rivello has been charged with cyberstalking.

Police in Minnesota are asking Google to identify people who searched for certain terms associated with a crime they are investigating. Edina police are working on a bank fraud case in which USD 28,500 was wired out of an individual's account earlier this year. The perpetrator used a passport photo possibly obtained online. The warrant applies only to residents of Edina and only to searches conducted between December, 2016 and January 7, 2017.

[Editor Comments]

[Williams] Granting this warrant demonstrates a fundamental lack of understanding, by the judge, about the underlying technology.

Legislation introduced in the US House of Representatives would designate election systems as critical infrastructure. It would also fund upgrades for the systems and look to the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) for security standards. The bill would cover storage facilities, polling places, voter databases, voting machines, and other systems involved in the election process.

Reasons for Microsoft's Patch Delay Still Vague
(March 16, 2017)

Dan Goodin writes that Microsoft has not adequately explained the recent month-long delay of its security patches. Patch Tuesday has been a regular event for more than 13 years and has never, until last month, been cancelled. The reason given for February's delay was an unspecified "last-minute issue." Goodin writes that "even if the cancellation was for the most banal of reasons, Microsoft's silence is just wrong. If protecting customers is truly Microsoft's top priority, company officials should explain exactly why they delayed critical bug fixes for four weeks."

UK Inter-ACE Cybersecurity Challenge
(March 20, 2017)

A team of students from Imperial College London, UK, has won the Inter-ACE cybersecurity competition, besting teams from 11 other universities. All universities that sent teams to the competition have been named Academic Centres of Excellence in cybersecurity. The competition was hosted by the University of Cambridge. Members of the winning team are guaranteed spots in the Cambridge2Cambridge (C2C) competition later this year, an event held jointly by the University of Cambridge and the Massachusetts Institute of Technology (MIT).